Equifax Hack: Keep Your Friends Close, but Your Supply Chain Closer

After more than 145 million customer records were compromised in the Equifax data breach, the company’s stock plummeted by more than 30 percent. That amounted to market capitalization losses north of $5 billion. The hack was one of the largest in history, and the records stolen included Social Security and driver’s license numbers.

And yet, that could be just a drop in the bucket compared to the fallout yet to come. It wasn't just Equifax that was exposed. Companies that exchange data with Equifax may also be at risk, which could expose the information of millions more customers.

For instance, both Visa and MasterCard recently sent alerts to banks notifying them about 200,000 credit cards that may also have been compromised. Indeed, there has been a spike in attempted credit card fraud this August, with a 15 percent increase year-over-year. A similar period of rampant identity theft was observed after the Target breach of 2013, which began with network credentials stolen from a third-party supplier.

Visa and MasterCard – which both explicitly blamed Equifax – may be the first of many companies to come forward with statements that their data was also compromised in the Equifax data breach. Any company that has interacted with Equifax is at risk.

The risk that companies inherit from their suppliers is a pervasive problem for cyber security. Dynamic supply chains are a necessity in today's fast-paced business environment, but every new supplier expands a company's attack surface.

Compounding the problem is the fact that companies have little direct visibility into the security of their suppliers' networks. They have no practical way of monitoring the risks involved, yet cannot afford to hinder productivity by cutting suppliers off.

The cyber security assessment of potential supply chain partners is often a rushed process, and is rarely as in-depth as it should be. In the same way that lenders use FICO credit scores to assess credit risk, companies should adopt a comparable system to assess cyber risk. At the heart of this system must be the capability to monitor cyber risk continually, not just as a one-off, and adaptively, to keep pace with the changing digital environment and evolving risks.

Attacks happen every day, and a company's adversaries can change drastically from one month to the next. So in order to make the most informed business decisions and detect supply chain risks at the earliest possible stage, we need visibility into the risks and threats associated with partnering with a given vendor.

That gets to the heart of the issue: we cannot change the resilience of our suppliers against cyber-attackers directly, but we can have a transparent relationship when it comes to cyber risk. Under such a paradigm, we would be alerted to the early warning signs of cyber risk in a third-party supplier, and we would be able to back out of the partnership if the risk is deemed too high.

An early warning sign could involve a device beaconing out to C2 infrastructure, dormant malware quietly profiling network defenses, or an insecure cloud storage configuration that puts passwords and intellectual property at risk. Without visibility into these threats, companies are forced to trust their suppliers without fully understanding the risk involved.

My company recently worked with an organization hosting a major event, and we detected a device on their network beaconing to a rare external destination. Since the device in question was owned and operated by a third party, the local police department to be exact, the organization's network defenses failed to identify the threat. Especially when third parties are integrated onto the network like this, threats are bound to slip through the cracks, and the Equifax hack demonstrated how easily a subtle threat can develop into a debilitating data breach.
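The two indicators in the incident above, regular beaconing and a destination that almost nobody else on the network talks to, can be tested for directly in connection logs. The following is an added example written for this page, not Darktrace's detection logic or code from the case described: it scores every (source, destination) pair on the regularity of its connection intervals and on how many distinct hosts contact that destination, and flags pairs that are both periodic and rare. The log format and the IP addresses are constructed for the example; the thresholds are starting points, not tuned values.

```python
"""Flag periodic connections to rare destinations in a connection log.

Added example for this article, not the vendor's code. Input format is a
constructed one: one connection per line, "epoch_seconds source destination".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 contacts 203.0.113.10 about every 300 s
# and is the only host that does (beacon-like). 10.0.0.5 also polls
# 192.0.2.53 every 300 s, but so do other hosts, so that looks like a shared
# service (update or time server), not a beacon. The rest is irregular browsing.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10
1301 10.0.0.5 203.0.113.10
1598 10.0.0.5 203.0.113.10
1902 10.0.0.5 203.0.113.10
2199 10.0.0.5 203.0.113.10
2501 10.0.0.5 203.0.113.10
1000 10.0.0.5 192.0.2.53
1300 10.0.0.5 192.0.2.53
1600 10.0.0.5 192.0.2.53
1900 10.0.0.5 192.0.2.53
2200 10.0.0.5 192.0.2.53
1100 10.0.0.7 192.0.2.53
1200 10.0.0.8 192.0.2.53
1010 10.0.0.7 198.51.100.7
1015 10.0.0.8 198.51.100.7
1200 10.0.0.7 198.51.100.7
1900 10.0.0.9 198.51.100.7
2400 10.0.0.7 198.51.100.7
2410 10.0.0.8 198.51.100.7
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        yield int(ts), src, dst


def find_beacons(text, min_connections=5, max_cv=0.1, max_hosts=1):
    """Return pairs whose inter-connection gaps are regular (coefficient of
    variation <= max_cv) and whose destination is contacted by at most
    max_hosts distinct sources. min_connections avoids scoring noise."""
    conns = defaultdict(list)        # (src, dst) -> [timestamps]
    hosts_per_dst = defaultdict(set)  # dst -> {src, ...}
    for ts, src, dst in parse_log(text):
        conns[(src, dst)].append(ts)
        hosts_per_dst[dst].add(src)

    findings = []
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Coefficient of variation: 0 means perfectly regular; C2 jitter
        # raises it, so max_cv sets how much jitter we still call periodic.
        cv = pstdev(gaps) / period if period else float("inf")
        rare = len(hosts_per_dst[dst]) <= max_hosts
        if cv <= max_cv and rare:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "period_s": round(period, 1),
                "jitter_cv": round(cv, 3),
                "hosts_to_dst": len(hosts_per_dst[dst]),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

Run against the sample, only the 10.0.0.5 to 203.0.113.10 pair is reported: the update-server traffic is just as periodic but fails the rarity test, which is what keeps this from alerting on every scheduled check-in on the network. Two caveats matter in practice: real C2 frameworks add deliberate jitter, so max_cv has to be loosened (and the period estimated over longer windows) as the suspected implant's jitter grows; and, as the incident above shows, the baseline has to include devices the organization does not own, otherwise a third party's box is simply never in the data that gets scored.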

There was little Equifax's supply chain partners could have done to avoid being implicated in the data breach. However, they can get smarter about understanding the risks and vulnerabilities that each partnership entails. With that kind of real-time awareness, they would have been in a better position to see and deal with the vulnerabilities at an early stage, before data was compromised. At the cost of Equifax's 145.5 million customers and its supply chain, this was clearly not the case.

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.